Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 12.0p25, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-12.0p25_Bundle_Oct_10_2024.tgz.enc.sig
- MD5 checksum: cb8325e5455808779cf5b89ed86b97bc
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
  - Product selector: IBM Security Guardium
  - Installed Version: 12.0
  - Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
The latest Guardium health check patch 12.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes fixes for 12.0.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Review the latest version of the patch release notes just before you install the patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data Protection patches, see How to install patches in the Guardium documentation.
Attention
Guardium appliance bundle upgrade time extended due to MySQL tables conversion
Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.
For more information, see Guardium appliance bundle upgrade time extended due to MySQL tables conversion.
Renewed Guardium patch signing certificate
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. This patch is signed by a new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 12.0p1012 (see release note) or an appropriate appliance bundle listed in the IBM Guardium - Patch signing certificate set to expire in March 2025 support document.
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-79723 | If the latest Guardium Installation Manager (GIM) bundles are installed on all existing GIM clients, you can replace GIM certificates from the Guardium appliance without taking additional action on the GIM clients. Use the following commands in the Guardium CLI:<br>This enhancement applies to the following GIM bundle versions and later: |
| GRD-81705 | During system config backup, all certificates from the Guardium appliance are added to the backup file. Those certificates are restored on a Guardium 12.1 or later appliance by running the restore backup command from the CLI. |
| GRD-84656 | Added CERTIFICATE_EXPIRATION parameter to the generate_ssl_key_universal_connector API. |
Resolved issues
This patch resolves the following issues.
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 12.0p20 | See the 12.0p20 release notes for more information | | |
| 12.0p25 | GRD-75941 | Need to include TLS version in grdapi get_secured_protocols_info | DT259587 |
| | GRD-77441 | Importing Windows GIM and S-TAP bundles resulted in "Unexpected error occurred. Please contact the system administrator during import." | DT276407 |
| | GRD-79722 | Support server feature missing on version 11.5 appliance | DT397424 |
| | GRD-81287 | grdapi update_datasource_by_name wipes other fields when not defined | DT379148 |
| | GRD-81913 | EMEA-Guardium taking old CEF-ArcSight template | DT390815 |
| | GRD-82017 | Venafi commands failing on Guardium appliances 11.4 and 11.5 | DT394191 |
| | GRD-82299 | Custom GIM certificates managed by Venafi. Unable to complete the setup. | DT393955 |
| | GRD-82469 | In version 12.x, public time servers come up and cannot be deleted | DT394146 |
| | GRD-82527 | Issue in central manager CLI. Failed to query server: connection timed out | DT392818 |
| | GRD-82556 | grdapi export_config type=remotelog does not work when pushing to group | DT391870 |
| | GRD-82731 | p1234 needs to be installed more than once on central manager | DT391476 |
| | GRD-82881 | Health analyzer job runtime exception | DT390044 |
| | GRD-82989 | EMEA-CLI store system SNMP versions 2 and 3 both show as enabled | DT392878 |
| | GRD-83064 | Unable to delete config from UI, since config was not present in /var/IBM/Guardium/uc/config | DT397578 |
| | GRD-83222 | Test connection to Apache Cassandra fails with error "The native meta data is inconsistent." | DT393997 |
| | GRD-83537 | cli_userauth appliance attempting to renew UNIX password | DT392817 |
| | GRD-83568 | Version 12 Vulnerability Assessment query-based test finder not saving changes after creation | DT394206 |
| | GRD-83668 | Unable to ssh after SqlGuard-12.0p15_Bundle_Apr_23_2024 patch installation | DT392659 |
| | GRD-83838 | Importing a query report definition file exported in version 11.5 into version 12 aborts with error | DT394990 |
| | GRD-83905 | ServiceNow ticketing throws permissions issue when using a different table other than "incident" | |
| | GRD-84011 | Test collector stopped sending policy alerts to user facility | DT394214 |
| | GRD-84021 | Make instance name optional for dynamic Microsoft SQL Server data source definition | |
| | GRD-84022 | Failure to see messages in SIEM as long as 'all.all' <facility.priority> is configured in version 12.x | DT394147 |
| | GRD-84549 | Guardium certificate generated for Universal Connector is only valid for one month | DT396508 |
| | GRD-84446 | gdmmonitor script for Postgres on Amazon Relational Database Service (RDS) runs into an error | |
| | GRD-86462 | Guardium 12 policy editor UI allows toggling of "Continue to next" on extrusion rules | DT397254 |
| | GRD-87819 | Duplicated in Group Builder after importing policies with shared groups | TS017242631 |
Security fixes
This patch resolves the following issues.
| Patch | Issue key | Summary | CVE |
|---|---|---|---|
| 12.0p6009 | See the 12.0p6009 release notes for more information | | |
| 12.0p25 | GRD-82307 | PSIRT: PVR0507058 zlib-v1.2.12 (publicly disclosed vulnerability found by Mend) | CVE-2022-37434 |
| | GRD-82997 | PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (publicly disclosed vulnerability found by Mend) - datastreams | |
| | GRD-82998 | PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (Publicly disclosed vulnerability found by Mend) - solr | |
| | GRD-83551 | PSIRT: PVR0517481, PVR0501846, PVR0494026, PVR0501266, PVR0503505, PVR0503545, PVR0463909, PVR0463658, PVR0484500, PVR0473985, PVR0470261, PVR0485325, PVR0492721: Kernel version to update only in version 12 | CVE-2023-4622, CVE-2023-4623, CVE-2023-5090, CVE-2023-45862, CVE-2023-52628, CVE-2024-0443, CVE-2024-0565, CVE-2024-25744, CVE-2024-26598, CVE-2024-26643, CVE-2024-26801, CVE-2024-26804, CVE-2024-26993 |
| | GRD-84425 | PSIRT: PVR0500179 [All] Gnu GnuTLS - CVE-2024-28835 (publicly disclosed vulnerability) | CVE-2024-28834, CVE-2024-28835 |
| | GRD-84543 | PSIRT: PVR0526191, PVR0503585, PVR0526211, PVR0495199, PVR0494744, PVR0494146, PVR0526251, PVR0525435, PVR0493201, PVR0492741 - [All] kernel - CVE-2024-35960, CVE-2024-27397, CVE-2024-35958, CVE-2024-26735 (publicly disclosed vulnerability) | CVE-2023-52439, CVE-2023-52450, CVE-2023-52458, CVE-2024-26585, CVE-2024-26601, CVE-2024-26735, CVE-2024-26808, CVE-2024-27397, CVE-2024-35958, CVE-2024-35960 |
| | GRD-87435 | PSIRT: PVR0528822 [All] Oracle MySQL - July 2024 - CPU - 12.1 only - post 12.1 GA | CVE-2024-20996, CVE-2024-21125, CVE-2024-21127, CVE-2024-21129, CVE-2024-21130, CVE-2024-21134, CVE-2024-21135, CVE-2024-21137, CVE-2024-21142, CVE-2024-21157, CVE-2024-21159, CVE-2024-21160, CVE-2024-21162, CVE-2024-21163, CVE-2024-21165, CVE-2024-21166, CVE-2024-21170, CVE-2024-21173, CVE-2024-21176, CVE-2024-21177, CVE-2024-21171, CVE-2024-21179, CVE-2024-21185 |
Document Information
Modified date: 27 May 2025
UID: ibm17171890